Accessing your Raspberry Pi securely from the Internet using ZeroTier
Tue, Jun 27, 2017
(Edited on 14th June 2020 to update the download link.)
When you need to access your Raspberry Pi from home, exposing your public IP or using dynamic DNS and opening ports can expose your Pi to potential security threats, especially if you're using password-based authentication or running services behind these ports.
The well-known method of doing it is to use a VPN. Whereas OpenVPN is a common solution, ZeroTier heavily outshines it. OpenVPN can be cumbersome to set up and maintain (especially if things go wrong), and provisioning new devices can be a pain with having to generate certificates. In comparison, ZeroTier can be installed with a single bash script, and your virtual network can be managed with their web panel which enables you to provision devices, assign static IPs and more.
If you're wondering how secure and reliable ZeroTier is, check out their manual. ZeroTier is also open source, with their codebase available on GitHub.
Installation
ZeroTier Central
ZeroTier Central is the web panel where you control your virtual network and manage connected devices. First, set up your network by registering your account at https://my.zerotier.com/. Next, create your network by navigating to https://my.zerotier.com/network and clicking Create. Then, click on your newly created network entry and follow these steps:
- Change the name to something less random
- Under IPv4 Auto-Assign, check Auto-Assign from Range and click on an IP range which you know will not conflict with the private IP ranges of any networks you use your devices on (ZeroTier will automatically assign your devices an IP from this range)
- Under Access Control, ensure Certificate (Private Network) is checked
- Take note of the Network ID
Raspberry Pi
We will now set up ZeroTier on your Raspberry Pi. Note that if you are using a Raspberry Pi B or Zero W and run into issues, you may have to apply a patch detailed here (thanks to mrexodia for the tip!). Follow these instructions:
- Run the shell command on their download page (the more secure GPG option is recommended).
- To ensure ZeroTier starts on system boot, run
sudo systemctl enable zerotier-one
- Check if everything is working by running
sudo zerotier-cli status
It should return
200 info [ID] [version] ONLINE
if all is fine
- To join the network, run
sudo zerotier-cli join [Network ID]
- Authenticate your device by going to
https://my.zerotier.com/network/[Network ID]
(the configuration page we used in the previous section), scrolling down to Members and checking the Auth checkbox
- Optionally, assign your Pi a nicer IP address (such as one ending in .1) by going to the Managed IPs column, entering an IP address within the IP range you chose in the previous section, then pressing the plus icon to save your changes (you can also delete the old one by pressing the bin icon)
- Check that your Raspberry Pi is properly connected by running
sudo zerotier-cli listnetworks
to see
200 listnetworks [...] OK PRIVATE [...] [The IP(s) you assigned the Raspberry Pi]/24
- To have your Raspberry Pi automatically join the virtual network on system boot, simply run
sudo touch /var/lib/zerotier-one/networks.d/[Network ID].conf
- If you have UFW or any other firewall software installed, ensure that you allow traffic going to and from your private IP range
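A scripted version of the checks in the steps above, as an added example that is not part of the original post or ZeroTier's own tooling: it parses the output of zerotier-cli status and zerotier-cli listnetworks and fails unless the node is ONLINE and the network is authorized (OK), PRIVATE and has an assigned IP. The field layout, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the zerotier-cli states this guide asks you to look for.
# Assumed field layout (from the output lines quoted above):
#   200 info <node id> <version> <ONLINE|OFFLINE>
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ips>

# Constructed sample output (not captured from a real node).
SAMPLE_STATUS='200 info 0a1b2c3d4e 1.2.4 ONLINE'
SAMPLE_NETS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef home pi net 02:00:00:aa:bb:cc OK PRIVATE zt0 10.147.17.1/24'
SAMPLE_PENDING='200 listnetworks 0123456789abcdef - 02:00:00:aa:bb:cc ACCESS_DENIED PRIVATE zt0 -'

# check_status TEXT: succeeds only if the service reports ONLINE.
check_status() {
    printf '%s\n' "$1" |
        awk '$1 == "200" && $2 == "info" && $NF == "ONLINE" { ok = 1 } END { exit !ok }'
}

# check_network TEXT NETWORK_ID: prints a verdict; succeeds only on "ok".
# Fields are read from the right because the network name may contain spaces.
check_network() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "200" && $2 == "listnetworks" && $3 == id {
            seen = 1; state = $(NF - 3); kind = $(NF - 2); ips = $NF
        }
        END {
            if (!seen)                  v = "not-joined"
            else if (state != "OK")     v = "status:" state    # e.g. Auth box unchecked
            else if (kind != "PRIVATE") v = "not-private"      # Access Control is not Certificate
            else if (ips == "-")        v = "no-ip"            # no Managed IP assigned
            else                        v = "ok"
            print v
            exit (v != "ok")
        }'
}

# Live use: sh check.sh <Network ID>   (skipped when no argument is given)
if [ -n "${1:-}" ]; then
    check_status "$(sudo zerotier-cli status)" || { echo "service offline"; exit 1; }
    check_network "$(sudo zerotier-cli listnetworks)" "$1"
fi
```

A verdict of status:ACCESS_DENIED means the device has joined but has not yet been authorized in ZeroTier Central; not-private means the network would admit any device that knows the Network ID.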
Client Devices
Finally, let's set up the client devices you will use to connect to the Raspberry Pi from any Internet-available network in the world. On Linux clients, the setup is the same as for the Raspberry Pi. ZeroTier also has Android and iOS apps which you can find on their download page. After connecting your client devices to the same network, you can check that the other devices are resolvable using sudo zerotier-cli listpeers. Finally, you can connect to your Raspberry Pi by using the private IP address you assigned to it.
Conclusion
For me, using ZeroTier is a very pleasant experience. I can access my Raspberry Pi from anywhere in the world with an Internet connection without having to use port forwarding or exposing my Pi directly to the Internet. Another added advantage is that I can add a UFW/iptables rule to block all inbound traffic to SSH and other services originating from all IP addresses other than my home and ZeroTier IP address ranges. The time spent setting up your devices is well worth the security and convenience which ZeroTier provides.
If you found this blog post useful or have any questions, leave a comment below or tweet me @KelvZhan!